Claims

This listing of claims will replace all prior versions and listings of claims in the 
application: 

1. (Currently amended) A method for determining unauthorized [network] usage of a data communication network, comprising the steps of:

monitoring packets exchanged between two hosts on the data communication network;

identifying a flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined characteristic;

storing information associating a service that is associated with an identified flow 
with at least one of the hosts that is associated with the identified flow, said service 
comprising an observed service; 

determining if an observed service associated with a particular host is out of profile by comparing the service to a prestored allowed network services profile for the particular host; and

in response to determination that an observed service associated with a particular 
host is out of profile, providing an output indicating that the observed service is out of 
profile. 

[capturing packet header information from communications on a network;

determining valid connections or data flows;

determining hosts on the network that act as a client and server for each valid connection or data flow; and

determining network services being used by every host in a predefined group of hosts.]
2. (Currently amended) The method of claim 1, further comprising the step of displaying to a user indicia corresponding to the occurrence of particular [indicating observed] network services observed in connection with one or more hosts during a monitoring period.

3. (Currently amended) The method of claim 2, further comprising the step of displaying an indication that a predetermined [of the] observed network service [services] is in profile and observed during the monitoring period, is in profile and was not observed during the monitoring period, or is not in profile [which were previously seen during the presentment period].

4. (Currently amended) The method of claim 1, further comprising the step [steps] of:

[storing an allowed network services profile;

comparing allowed network services with observed network services for the particular host; and]

generating an alarm when an observed network service is not an allowed network service for the particular host.

5. (Currently amended) The method of claim 1 [5], further comprising the step of displaying indicia indicating whether [the] an observed network [services] service is not an allowed network service for a particular host.

6. (Currently amended) The method of claim 1 [4], further comprising the step of building the allowed [a] network services [service] profile based upon network services observed during a profile generation time period.
7. (Currently amended) The method of claim 1 [4], further comprising the step of allowing user editing of the allowed network services profile for particular hosts.

8. (Currently amended) The method of claim 1 [4], further comprising the step of allowing user editing of the allowed network services profile for a block of network [addresses] addresses corresponding to a plurality of hosts.

9. (Currently amended) A method for determining unauthorized [network] usage of a data communication network, comprising the steps of:

[capturing packet header information from communications on a network;]

monitoring packets exchanged between two hosts on the data communication network;

identifying a flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined characteristic;

storing information associating a service that is associated with an identified flow with at least one of the hosts that is associated with the identified flow, said service comprising an observed service;

determining hosts on the network that act as a client and server for each identified [valid connection or data] flow;

determining an allowed network services profile comprising information indicating particular network services that are authorized for use by each one of a plurality of hosts [being used by every host in a predefined group of hosts]; and

generating an alarm in response to determination that [when] an observed network service for a particular host in the group of hosts is not [being] included in the [an] allowed network services [service] profile.
10. (Currently amended) A method for determining unauthorized [network] usage of a data communication network, comprising the steps of:

[capturing packet header information from communications on a network;

determining valid connections or data flows;]

monitoring packets exchanged between two hosts on the data communication network;

identifying a flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined characteristic;

storing information associating a service that is associated with an identified flow with at least one of the hosts that is associated with the identified flow, said service comprising an observed service;

storing an allowed network services [service] port profile for each one of a plurality of hosts in a predefined host group, said profile including information identifying port numbers that are authorized for use by each host in the host group;

determining the port numbers of observed network services [service port numbers being] used by each [every] host in the predefined host group for each [valid connection or data] identified flow;

comparing the allowed network services [service] port profile with observed network service port numbers; and

generating an alarm when an [the] observed network service port number is not included in the allowed network services [service] port profile.
11. (Currently amended) The method of claim 10, further comprising the step of displaying indicia indicating the observed network service port numbers during a preset monitoring period.

12. (Currently amended) The method of claim 11, further comprising the step of displaying indications that [an indication of] the observed network service port numbers are in profile and observed during the monitoring period, are in profile but not yet observed in the monitoring period or are not in profile [which were previously seen during the presentment period].

13. (Currently amended) The method of claim 12, further comprising the step of displaying indicia indicating [that] whether [the] observed network service port numbers are [is] included in the allowed network services [service] port profile.

14. (Currently amended) The method of claim 10, further comprising the step of building the network services [service] port profile based upon [observed] network service ports observed during a profile generation time period.

15. (Currently amended) The method of claim 10, further comprising the step of allowing user editing of the allowed network services [service] port profile for the hosts group.

16. (Currently amended) The method of claim 15, further comprising the step of allowing user editing of the allowed network services [service] port profile for a block of network addresses corresponding to the hosts group.

17. (Currently amended) A system for determining unauthorized [network] usage of a data communication network, comprising:

a monitoring device including a processor operative to carry out the steps of:

monitoring packets exchanged between two hosts on the data communication network;

identifying a flow corresponding to a predetermined plurality of packets exchanged between the two hosts that relate to a single service and is characterized by a predetermined characteristic;

storing information associating a service that is associated with an identified flow with at least one of the hosts that is associated with the identified flow, said service comprising an observed service;

determining if an observed service associated with a particular host is out of profile by comparing the service to a prestored allowed network services profile for the particular host; and

in response to determination that an observed service associated with a 
particular host is out of profile, providing an output indicating that the observed service is 
out of profile. 

[operable to observe communication packets on a network;

a computer system operable to capture packet header information from observed communication packets;

the computer system operable to determine valid connections or data flows;

the computer system operable to determine hosts on the network that act as a client and server for each valid connection or data flow; and

the computer system operable to determine network services being used; and

the computer system operable to generate an alarm when an observed network service is not an allowed network service.]

18. (Currently amended) The system of claim 17, further comprising a monitor coupled to the monitoring device and operative [computer system operable] to display indicia indicating observed network services during a monitoring period.
19. (Currently amended) The system of claim 18, [further comprising] wherein the monitor is further operative [operable] to display indicia indicating that [whether the] an observed network service [services] is not an allowed network service.

20. (Currently amended) The system of claim 17, wherein the processor is further operative [further comprising the computer system operable] to build the prestored [a] network services [service] profile based upon network services observed during a profile generation time period.

21. (Currently amended) The system of claim 17, further comprising an editor coupled to the monitoring device and operative to allow user editing of [coupled to the computer system operable to edit] the allowed network services profile.

22. (Currently amended) The system of claim 21, wherein the editor is further operative to allow user editing of [further comprising the editor operable to edit] the allowed network services profile for a block of network addresses [address].

23. (New) A system for analyzing network communication traffic and 
determining unauthorized use, comprising: 

a processor operative to: 

a) monitor the communication of packets on a data communication network;

b) classify the monitored packets into flows, wherein a flow corresponds to a predetermined plurality of packets exchanged between two hosts that are associated with a single service on the network;

c) maintain a flow data structure for storing data corresponding to a plurality of flows;

d) maintain a host data structure for storing an allowed network services profile for at least one host; and

e) analyze the flows in the flow data structure in order to 
determine if an observed service associated with a 
particular host is out of profile by comparing the service to 
the allowed network services profile for the particular host; 
and 

e) in response to determination that an observed service associated with a particular host is out of profile, providing an output indicating that the observed service is out of profile;

a memory coupled to the processor and operative to store the flow data 
structure and the host data structure; and 

a network interface coupled to the processor operative to receive packets on the data communication network.

24. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the predetermined characteristic of a flow is selected from the group comprising: the elapse of a predetermined period of time wherein no packets are exchanged between two hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a given port, the occurrence of a RESET packet, data sent by TCP and acknowledged, UDP packets that are not rejected, and local multicast or broadcast.
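Claims 1, 9, 10 and 24 together describe one procedure: group packet headers into flows that end on a predetermined characteristic, record the service observed on each host, and compare that record with a prestored allowed network services profile. The following Python is an added illustration written for this listing, not code from the application or its applicant; the idle timeout value, the "first packet's destination is the server" rule, and the sample hosts, ports and profile are constructed assumptions.

```python
from collections import namedtuple

# Header-only view of a packet (claim 34: header information only); flags is a frozenset of TCP flag names.
Packet = namedtuple("Packet", "ts src dst proto sport dport flags")
IDLE_TIMEOUT = 120.0  # seconds of silence that ends a flow; assumed value, not taken from the claims

def classify_flows(packets):
    """Group packet headers into flows: packets exchanged between two hosts for one
    service (proto + server port). A flow ends on a FIN or RST flag or when no packet
    is seen for IDLE_TIMEOUT, i.e. three of the claim 24 characteristics.
    Assumption: the destination of the first packet of a flow is the server."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        flow = active.get(key)
        if flow and p.ts - flow["last"] > IDLE_TIMEOUT:   # idle expiry: the old flow is over
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = {"client": p.src, "server": p.dst,
                                  "service": (p.proto, p.dport), "last": p.ts}
        flow["last"] = p.ts
        if p.flags & {"FIN", "RST"}:                      # explicit close ends the flow
            finished.append(active.pop(key))
    return finished + list(active.values())

def observed_services(flows):
    """Host data structure: the set of (proto, port) services observed on each server host."""
    seen = {}
    for f in flows:
        seen.setdefault(f["server"], set()).add(f["service"])
    return seen

def out_of_profile(seen, allowed):
    """Compare observed services with the allowed-services profile; return (host, service) alarms."""
    return sorted((host, svc) for host, svcs in seen.items()
                  for svc in svcs - allowed.get(host, set()))

# Constructed sample traffic and profile (not taken from the application).
NONE = frozenset()
SAMPLE = [
    Packet(0.0, "10.0.0.5", "10.0.0.20", "tcp", 40001, 80, frozenset({"SYN"})),
    Packet(0.1, "10.0.0.20", "10.0.0.5", "tcp", 80, 40001, frozenset({"SYN", "ACK"})),
    Packet(0.2, "10.0.0.5", "10.0.0.20", "tcp", 40001, 80, frozenset({"FIN"})),
    Packet(1.0, "10.0.0.5", "10.0.0.20", "tcp", 40002, 22, frozenset({"SYN"})),
    Packet(2.0, "10.0.0.20", "10.0.0.5", "tcp", 22, 40002, frozenset({"RST"})),
    Packet(3.0, "10.0.0.7", "10.0.0.20", "udp", 5353, 53, NONE),
    Packet(300.0, "10.0.0.7", "10.0.0.20", "udp", 5353, 53, NONE),  # past idle timeout: a new flow
]
ALLOWED = {"10.0.0.20": {("tcp", 80), ("udp", 53)}}   # host -> services authorized for it

def run(packets=SAMPLE, allowed=ALLOWED):
    return out_of_profile(observed_services(classify_flows(packets)), allowed)

if __name__ == "__main__":
    print(run())   # [('10.0.0.20', ('tcp', 22))]
```

The constructed traffic yields four flows (two closed by FIN/RST, one expired by the idle timeout, one still open), and only the SSH service on 10.0.0.20 falls outside its profile.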

25. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the step of providing an output or alarm comprises the step of communicating a message to a firewall to drop packets going to or from the particular host.
26. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the output or alarm is a notification to a network administrator.

27. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the output or alarm is provided to a utilization component selected from the group comprising: network security device, email, SNMP trap message, beeper, cellphone, firewall, network monitor, user interface display to an operator.

28. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the 
single service comprises a port number remaining constant for a plurality of packets. 

29. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the steps are carried out in a monitoring appliance.

30. (New) The method of claim 29, wherein the monitoring appliance monitors communications among inside hosts and outside hosts.

31. (New) The method of claim 29, wherein the monitoring appliance is coupled to a network device.

32. (New) The method of claim 31, wherein the network device is selected from the group comprising: router, switch, hub, tap.

33. (New) The method of claim 31, wherein the network device is a network security device.
34. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the monitoring of packets comprises monitoring packet header information only.

35. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein the unauthorized use is from an inside address or from an outside address.

36. (New) The method or system of claims 1, 9, 10, 17, or 23, wherein a service is associated with an identified flow in response to initiation of communications between the two hosts.